
Killing video game characters enables remote code execution in Valve games

Video game developer Valve Corporation recently created a patch to fix a buffer overflow vulnerability in its Source SDK library that can allow for remote code execution on client and server devices.

Discovery of the flaw is credited to One Up Security, which detailed the bug on Wednesday in a blog post authored by Justin Taft, a security researcher and software engineer with the software development consulting company.

To address the vulnerability, multiple games running on the Source engine were updated, including Counter-Strike: Global Offensive, Team Fortress 2, Half-Life 2: Deathmatch, Portal 2, and Left 4 Dead 2.

The flaw can be exploited by killing another player in the game, causing a specially crafted ragdoll model to be loaded, Taft explains in the post, warning that remote code execution bugs in games can be leveraged to create a botnet or spread ransomware.

Taft urged third-party mod developers to apply the patch, and said they can also mitigate the vulnerability by enabling address space layout randomization (ASLR) for all executables.
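One way a mod developer could verify the ASLR mitigation on Windows builds is to read the PE header flags that opt a binary into relocation. This is an added example, not code from One Up Security's post or Valve's SDK; it assumes PE-format binaries, and the function names and header-only sample images are constructed for illustration.

```python
import struct
import sys

RELOCS_STRIPPED = 0x0001   # COFF Characteristics: IMAGE_FILE_RELOCS_STRIPPED
HIGH_ENTROPY_VA = 0x0020   # DllCharacteristics: 64-bit ASLR entropy
DYNAMIC_BASE = 0x0040      # DllCharacteristics: image opts into ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100         # DllCharacteristics: DEP-compatible (/NXCOMPAT)


def aslr_status(image: bytes) -> dict:
    """Report the ASLR-related header flags of a PE image (EXE or DLL)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    opt = pe_off + 24                      # 4-byte signature + 20-byte COFF header
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < opt + 72:
        raise ValueError("not a PE file: bad or truncated PE header")
    # SizeOfOptionalHeader, Characteristics, then the optional header's Magic.
    opt_size, file_chars, magic = struct.unpack_from("<HHH", image, pe_off + 20)
    if opt_size < 72 or magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("missing or unknown optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        # Without relocation data the loader cannot move the image.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def sample_pe(file_chars: int, dll_chars: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only PE image for the demo (not a real binary)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:              # e.g. every EXE and DLL a mod ships
        with open(path, "rb") as fh:
            print(path, aslr_status(fh.read()))
```

Run it over every binary in a mod's distribution; any module reporting `aslr_effective: False` loads at a predictable address and needs to be relinked.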

Bradley Barth

